From c0176aeab391beb82ee890d4950969caf9993dcc Mon Sep 17 00:00:00 2001 From: Nick Fagerlund Date: Wed, 18 Dec 2019 11:26:10 -0800 Subject: [PATCH] website: Revise sensitive data in state page --- website/docs/state/sensitive-data.html.md | 46 ++++++++++------------- 1 file changed, 19 insertions(+), 27 deletions(-) diff --git a/website/docs/state/sensitive-data.html.md b/website/docs/state/sensitive-data.html.md index 854df573e..f5ccaa116 100644 --- a/website/docs/state/sensitive-data.html.md +++ b/website/docs/state/sensitive-data.html.md 
@@ -8,41 +8,33 @@ description: |- # Sensitive Data in State -Terraform state can contain sensitive data depending on the resources in-use +Terraform state can contain sensitive data, depending on the resources in use and your definition of "sensitive." The state contains resource IDs and all resource attributes. For resources such as databases, this may contain initial passwords. -When using local state, state is stored in plain-text JSON files. When -using [remote state](/docs/state/remote.html), state is only ever held in memory when used by Terraform. -It may be encrypted at rest but this depends on the specific remote state -backend. +When using local state, state is stored in plain-text JSON files. -It is important to keep this in mind if you do (or plan to) store sensitive -data (e.g. database passwords, user passwords, private keys) as it may affect -the risk of exposure of such sensitive data. +When using [remote state](/docs/state/remote.html), state is only ever held in +memory when used by Terraform. It may be encrypted at rest, but this depends on +the specific remote state backend. ## Recommendations -Storing state remotely may provide you encryption at rest depending on the -backend you choose. As of Terraform 0.9, Terraform will only hold the state -value in memory when remote state is in use. It is never explicitly persisted -to disk. +If you manage any sensitive data with Terraform (like database passwords, user +passwords, or private keys), treat the state itself as sensitive data. -For example, encryption at rest can be enabled with the S3 backend and IAM -policies and logging can be used to identify any invalid access. Requests for -the state go over a TLS connection. +Storing state remotely can provide better security. As of Terraform 0.9, +Terraform does not persist state to the local disk when remote state is in use, +and some backends can be configured to encrypt the state data at rest. 
-[Terraform Cloud](https://www.hashicorp.com/products/terraform/) is -a commercial product from HashiCorp that also acts as a [backend](/docs/backends) -and provides encryption at rest for state. Terraform Cloud also knows -the identity of the user requesting state and maintains a history of state -changes. This can be used to provide access control and detect any breaches. +For example: -## Future Work - -Long term, the Terraform project wants to further improve the ability to -secure sensitive data. There are plans to provide a -generic mechanism for specific state attributes to be encrypted or even -completely omitted from the state. These do not exist yet except on a -resource-by-resource basis if documented. +- [Terraform Cloud](/docs/cloud/index.html) always encrypts state at rest and + protects it with TLS in transit. Terraform Cloud also knows the identity of + the user requesting state and maintains a history of state changes. This can + be used to control access and track activity. [Terraform Enterprise](/docs/enterprise/index.html) + also supports detailed audit logging. +- The S3 backend supports encryption at rest when the `encrypt` option is + enabled. IAM policies and logging can be used to identify any invalid access. + Requests for the state go over a TLS connection.
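Review bot: removing the "Future Work" section in this hunk also drops the only statement that there is no generic mechanism for encrypting or omitting individual attributes from state, and that such protection exists only on a resource-by-resource basis where documented. Without it, a reader of the revised page could assume that sensitive attributes are kept out of the state file. Suggest keeping one sentence to that effect under "Recommendations", right after "treat the state itself as sensitive data.", along the lines of: "Terraform does not currently provide a general way to encrypt or omit specific attributes from state, so protecting the state file itself is what protects those values."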